Headline
RHSA-2023:0953: Red Hat Security Advisory: python3.9 security update
An update for python3.9 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-45061: A vulnerability was discovered in Python. A quadratic algorithm exists when processing inputs to the IDNA (RFC 3490) decoder, such that a crafted unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor, which could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied hostname.
Synopsis
Moderate: python3.9 security update
Type/Severity
Security Advisory: Moderate
Topic
An update for python3.9 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
- Python: CPU denial of service via inefficient IDNA decoder (CVE-2022-45061)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Fixes
- BZ - 2144072 - CVE-2022-45061 Python: CPU denial of service via inefficient IDNA decoder
Red Hat Enterprise Linux for x86_64 9
SRPM
python3.9-3.9.14-1.el9_1.2.src.rpm
SHA-256: 466a54fd6ecb15a9dfb03c1e78ae439abb1d70de1901907a1f32a0d08ce1ba86
x86_64
python-unversioned-command-3.9.14-1.el9_1.2.noarch.rpm
SHA-256: 618b8f1198c5134a98a21d7672c0a632902a20b6defc978731eaff5b7086a03c
python3-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: c595cbcea9f6a9f9e6ab66296755ec55ae530c33b311bfd06356924e450cfe10
python3-devel-3.9.14-1.el9_1.2.i686.rpm
SHA-256: c14de00d70e83f8c802dadac93622db0936d6a9a2d298e52e7308502fb081510
python3-devel-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 1c94f82cdd9edaeb5945b6bbb1702febc5945970862bb072b4456713a4f40f27
python3-libs-3.9.14-1.el9_1.2.i686.rpm
SHA-256: 851ea6cb52a3cfeb21e5dc910bcb472b730809a1aa70ff93be940bd835015da1
python3-libs-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 476b5b2e96ddc5886265abe77b3829fb1abaee3265e97e1c5d5a2c6497081916
python3-tkinter-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 890842aa929871a5eab724fdcd3a2ac12e5a1fe756206a82c1f28b53be31b03a
python3.9-debuginfo-3.9.14-1.el9_1.2.i686.rpm
SHA-256: e47694ba863a943d0ba16961f9bada4bb12a47407a5f18c1a49ef38149ab3b73
python3.9-debuginfo-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 1febc1b0f1895fdbb3b75f620dc7deba1e97aefc1db2571fafd88e59c56dc10f
python3.9-debugsource-3.9.14-1.el9_1.2.i686.rpm
SHA-256: f5be67ba51aaa1361708c4f0ee8a4e8be5488f789e9c2ef7768efb3c178d6413
python3.9-debugsource-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 6579d0fc52846523ae07c0ce4f8194fff6e390a20e7e3507b546d5725a046e94
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
python3.9-3.9.14-1.el9_1.2.src.rpm
SHA-256: 466a54fd6ecb15a9dfb03c1e78ae439abb1d70de1901907a1f32a0d08ce1ba86
s390x
python-unversioned-command-3.9.14-1.el9_1.2.noarch.rpm
SHA-256: 618b8f1198c5134a98a21d7672c0a632902a20b6defc978731eaff5b7086a03c
python3-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 9e075547875777282975cccd21e852b4e01601216ca6e01bebdf16f30984d08c
python3-devel-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: b016c18ec63e1bc65ff2c8ccf3c9fc4598e9d49a1770baf6f653dc2fd609bdae
python3-libs-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 7a80949fd3370b70f1dde5700b8275a6c2a08ee5048fa6e787c328851d9ff1b9
python3-tkinter-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 2d06f4d90eac64cd5c33e33479e8948778eafec88c8c4a8827da46ab40da7800
python3.9-debuginfo-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 9783c3a46a13e11ff8118cb7494a262a9c83bf65304b1615ba357c1f26a88f5e
python3.9-debugsource-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 408f96a8e82ee7cb173dc3e3a0d620378a62268bd98b8a46627ca9d5891d9f1a
Red Hat Enterprise Linux for Power, little endian 9
SRPM
python3.9-3.9.14-1.el9_1.2.src.rpm
SHA-256: 466a54fd6ecb15a9dfb03c1e78ae439abb1d70de1901907a1f32a0d08ce1ba86
ppc64le
python-unversioned-command-3.9.14-1.el9_1.2.noarch.rpm
SHA-256: 618b8f1198c5134a98a21d7672c0a632902a20b6defc978731eaff5b7086a03c
python3-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: d361c1eb53d9ae5e51324d9bf566cbb88b021df6bb5571073c2d4ce3dcc23caa
python3-devel-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: 7d76f5d7c419eaf3947fb208770948f1d0b318dfb9b98c3b84f5db9a02956715
python3-libs-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: 04ade49d5f312da3c06fb0bdec2f1188607e2bab0084f965c7883c6d5679ca96
python3-tkinter-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: 21d49d05ad76fd4d49e58d95e7da47c2dea3d39593d3c76decd2d3115048b143
python3.9-debuginfo-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: c7a34cdfbec7c08a762e7d3a475eea9ad9b56cbe3eae5ab09d55ec40eead9825
python3.9-debugsource-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: ae7acaf17b437e0aabe003a3bad5a091687b383fbd8808c6a9c25e7e49bd0d47
Red Hat Enterprise Linux for ARM 64 9
SRPM
python3.9-3.9.14-1.el9_1.2.src.rpm
SHA-256: 466a54fd6ecb15a9dfb03c1e78ae439abb1d70de1901907a1f32a0d08ce1ba86
aarch64
python-unversioned-command-3.9.14-1.el9_1.2.noarch.rpm
SHA-256: 618b8f1198c5134a98a21d7672c0a632902a20b6defc978731eaff5b7086a03c
python3-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 1e28e732d7bab46220502df70c9d2d77b52e53cd7ab93d80abdd955cbcc53b95
python3-devel-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 336540a5ae5470509a8760b13905af23389504c5866b15885cefff5d90b991d7
python3-libs-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 46286026439ee2c155773ec10e95227f9da39333a469206dd88bb5e96cde2a06
python3-tkinter-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 5ba22108fc9c7eb62535667ac6d2e38773180aeef2b67d6df075232712d37da4
python3.9-debuginfo-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: bdf4d0a63b02ecf17010e0ac995a8ccb11ec88783e1735324699c0fe0738d755
python3.9-debugsource-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 04d78d77b6c84206a7978dc5e3abcd62bc9cee91726deaf391aefde5ca4a64f8
Red Hat CodeReady Linux Builder for x86_64 9
SRPM
x86_64
python3-3.9.14-1.el9_1.2.i686.rpm
SHA-256: cd80993ba5726d73d350cc37662dd09e070cd3386b7112cf961f34d484e61210
python3-debug-3.9.14-1.el9_1.2.i686.rpm
SHA-256: 36e0affd006a5804d59f1898b3ac3c8eeee7e263d10ffe07d1fdc12eb58d8445
python3-debug-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: bfb0f7d301a88b2a5c3132759560dc9394ad9b49599f25c568538886ba0e411a
python3-idle-3.9.14-1.el9_1.2.i686.rpm
SHA-256: 76efe2ab7cc0e561e6e0e0267ad4f55d912740ba9e99fc6582137cf6077e0e6c
python3-idle-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 3c13a7f467910e965de0324c6b704f08f7dbd013a87f4d5c062e9de7810e7815
python3-test-3.9.14-1.el9_1.2.i686.rpm
SHA-256: b8417033361cc63fdf283c03040155776d5cb882005b8afffc5a8b0f0bee0008
python3-test-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: b788bb48ffafd9e60493adfa5d5a09100660ac3d6470ca22d4e62242cb9f458d
python3-tkinter-3.9.14-1.el9_1.2.i686.rpm
SHA-256: ccfb8bce73fad41c971be3856da8091824d879238fd738f769727ad2a827c527
python3.9-debuginfo-3.9.14-1.el9_1.2.i686.rpm
SHA-256: e47694ba863a943d0ba16961f9bada4bb12a47407a5f18c1a49ef38149ab3b73
python3.9-debuginfo-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 1febc1b0f1895fdbb3b75f620dc7deba1e97aefc1db2571fafd88e59c56dc10f
python3.9-debugsource-3.9.14-1.el9_1.2.i686.rpm
SHA-256: f5be67ba51aaa1361708c4f0ee8a4e8be5488f789e9c2ef7768efb3c178d6413
python3.9-debugsource-3.9.14-1.el9_1.2.x86_64.rpm
SHA-256: 6579d0fc52846523ae07c0ce4f8194fff6e390a20e7e3507b546d5725a046e94
Red Hat CodeReady Linux Builder for Power, little endian 9
SRPM
ppc64le
python3-debug-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: 2c1acf6a54a65e158cbb98a81bb304a67a927a7dfe159c2c821fe785f7d32c31
python3-idle-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: 8e9f9eacb70e2d5790717bcd5823ef086b2b125ce237bf9ff041acf1c31986ac
python3-test-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: b39a50d9c5167ebd92c4828eba9269527223ab10d9deadebaf0ce8b4c44a0960
python3.9-debuginfo-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: c7a34cdfbec7c08a762e7d3a475eea9ad9b56cbe3eae5ab09d55ec40eead9825
python3.9-debugsource-3.9.14-1.el9_1.2.ppc64le.rpm
SHA-256: ae7acaf17b437e0aabe003a3bad5a091687b383fbd8808c6a9c25e7e49bd0d47
Red Hat CodeReady Linux Builder for ARM 64 9
SRPM
aarch64
python3-debug-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 83571abb26df28ca37c6db3388601795a36e237a0b77cceb34d2c55d7a155204
python3-idle-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: becd1d8f7b6976048464dfe06c5d33b6ce1e4ea9d970e1aefdd8ee0ac79ea47d
python3-test-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 54b30602e7e2b3367889dfadfe7ae245c4dab0ad591b2489ff79a1eebf4ddbf7
python3.9-debuginfo-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: bdf4d0a63b02ecf17010e0ac995a8ccb11ec88783e1735324699c0fe0738d755
python3.9-debugsource-3.9.14-1.el9_1.2.aarch64.rpm
SHA-256: 04d78d77b6c84206a7978dc5e3abcd62bc9cee91726deaf391aefde5ca4a64f8
Red Hat CodeReady Linux Builder for IBM z Systems 9
SRPM
s390x
python3-debug-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: da496eaf1d01e71376315e1d60481457397a54f062998b74b24ae42144790bb2
python3-idle-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: ede8df64a185f61fb56efef2f98578b9fb411da79e60c9605480c7b246789de1
python3-test-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 85210a17d0bfeaab4a36244dbf434a85cc46ef3e60325b1dbe86d0ae2a89cad6
python3.9-debuginfo-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 9783c3a46a13e11ff8118cb7494a262a9c83bf65304b1615ba357c1f26a88f5e
python3.9-debugsource-3.9.14-1.el9_1.2.s390x.rpm
SHA-256: 408f96a8e82ee7cb173dc3e3a0d620378a62268bd98b8a46627ca9d5891d9f1a
Related news
Ubuntu Security Notice 6891-1 - It was discovered that Python incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 18.04 LTS. It was discovered that Python incorrectly used regular expressions vulnerable to catastrophic backtracking. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
An update for the python38:3.8 and python38-devel:3.8 modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-10735: A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not a...
Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...
Red Hat Security Advisory 2023-2061-01 - Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-2023-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While ...
Red Hat Security Advisory 2023-1454-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat OpenShift Service Mesh Containers for 2.3.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server t...
The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...
Red Hat Security Advisory 2023-0931-01 - Update information for Logging Subsystem 5.4.12 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-0932-01 - Update information for Logging Subsystem 5.6.3 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-1170-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Red Hat Security Advisory 2023-0930-01 - Update information for Logging Subsystem 5.5.8 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.
Logging Subsystem 5.4.12 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to alloc...
Logging Subsystem 5.5.8 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...
Red Hat OpenShift Data Foundation 4.12.1 Bug Fix Update Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.
Logging Subsystem 5.6.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...
Ubuntu Security Notice 5888-1 - It was discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. Hamza Avvan discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into running a specially crafted input, a remote attacker could possibly use this issue to execute arbitrary code.
Red Hat Security Advisory 2023-0833-01 - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include denial of service, information leakage, and open redirection vulnerabilities.
An update for python3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-10735: A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this v...
platform_callback_stub in misc subsystem within OpenHarmony-v3.0.5 and prior versions has an authentication bypass vulnerability which allows an "SA relay attack". Local attackers can bypass authentication and attack other SAs with high privilege.
Ubuntu Security Notice 5767-2 - USN-5767-1 fixed a vulnerability in Python. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that Python incorrectly handled certain IDNA inputs. An attacker could possibly use this issue to expose sensitive information, denial of service, or cause a crash.
Ubuntu Security Notice 5767-1 - Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals. An attacker could possibly use this issue to cause a crash or execute arbitrary code. It was discovered that Python incorrectly handled certain IDNA inputs. An attacker could possibly use this issue to expose sensitive information, denial of service, or cause a crash.
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
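The CVE-2022-45061 text above (the Related CVEs entry in this advisory and the fuller description in the last related-news item) explains the mechanism: a crafted, unreasonably long name handed to the IDNA decoder drives a quadratic code path, and such a name can reach a client through a redirect Location header. The remediation is the python3.9-3.9.14-1.el9_1.2 build listed in this advisory. As an added example that is not code from the advisory or from CPython, the Python below shows the defence-in-depth check an application can place in front of the stdlib IDNA codec: reject any name that exceeds what DNS itself permits before any decoding work is done, including for hosts taken out of a Location header. The RFC 1035 limits used as the cut-off (63 octets per label, 253 per name), the function names and the sample inputs are this example's own assumptions.

```python
"""Bounded IDNA decoding for hostnames received from untrusted peers.

Added example, not code from the Red Hat advisory or from CPython. It
applies DNS length limits (RFC 1035) before the stdlib IDNA codec runs,
so an over-long name from a remote server is rejected up front instead of
being handed to the decoder. Treating these limits as the cut-off is this
example's own choice; installing the patched package is the real fix.
"""
from urllib.parse import urlsplit

MAX_NAME_OCTETS = 253   # RFC 1035: longest presentation-form domain name
MAX_LABEL_OCTETS = 63   # RFC 1035: longest single label


class HostnameTooLong(ValueError):
    """Raised when a name or one of its labels exceeds the DNS limits."""


def check_hostname_length(raw):
    """Return raw as bytes after verifying it is within DNS length limits.

    raw may be bytes or an ASCII str (an ACE name is ASCII by definition;
    a non-ASCII str raises UnicodeEncodeError). One trailing dot is ignored
    for the length check but kept in the returned value so the codec still
    sees it.
    """
    data = raw.encode("ascii") if isinstance(raw, str) else bytes(raw)
    body = data[:-1] if data.endswith(b".") else data
    if len(body) > MAX_NAME_OCTETS:
        raise HostnameTooLong(
            f"name is {len(body)} octets, DNS limit is {MAX_NAME_OCTETS}")
    for label in body.split(b"."):
        if len(label) > MAX_LABEL_OCTETS:
            raise HostnameTooLong(
                f"label is {len(label)} octets, DNS limit is {MAX_LABEL_OCTETS}")
    return data


def safe_idna_decode(raw):
    """Decode an ACE hostname to Unicode only after bounding its size."""
    return check_hostname_length(raw).decode("idna")


def hostname_from_redirect(location):
    """Extract and safely decode the host from a Location header value.

    The CVE text notes that an over-long name can arrive in the Location
    header of a 302 response; this is where a client should apply the
    bound, before the name is decoded, displayed or resolved.
    """
    host = urlsplit(location).hostname
    if host is None:
        raise ValueError("Location header carries no host")
    return safe_idna_decode(host)


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    print(safe_idna_decode(b"xn--bcher-kva.example"))            # bücher.example
    print(hostname_from_redirect("http://xn--bcher-kva.example/login"))
    oversized = "http://" + "a" * 5000 + ".example/"             # constructed
    try:
        hostname_from_redirect(oversized)
    except HostnameTooLong as exc:
        print("rejected:", exc)
```

The check deliberately runs on the raw bytes, not on the decoded result, because the cost the CVE describes is incurred inside the decoder; a bound applied afterwards would be too late. Names that pass are still handed to the unmodified stdlib codec, so nothing about the decoding semantics changes for legitimate input.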